Get the latest in Federal Compliance news all in one place. 

Bookmark this page for all the latest updates on next year’s most compelling Federal Compliance topics including CMMC, FedRAMP, StateRAMP, and more.

Catch up on the latest Federal Compliance Webinar

Watch this exclusive Q&A series with Tony Bai, where he provides real insights on the latest in CMMC. 

 Sign up for future Federal Compliance Webinars and get exclusive updates on CMMC.

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is a framework of five increasingly stringent control levels developed by the Department of Defense to protect its supply chain from cyberattacks.  

CMMC Compliance Checklist

Check out our 5 Steps to CMMC Compliance Checklist to get started on your journey to compliance.


Who is affected by CMMC? 
All government contractors working with the DoD will need to become CMMC-certified by passing an independent CMMC audit from a C3PAO to verify they have met the appropriate level of cybersecurity for their business. The CMMC level required will be specified for each contract by the DoD in the Request for Information (RFI) and Request for Proposals (RFP). 

What’s the difference between NIST 800-171 and CMMC? 
CMMC differs from NIST 800-171 in that it includes five levels of cumulative practices and processes; this focus on processes is one major difference. CMMC seeks to institutionalize these processes so that they continue to be performed.

When will you need to meet the appropriate certification level?
Government contractors will need to be compliant at the time the contract is awarded. 

Are subcontractors affected? 
Yes, subcontractors working under a prime contractor will be expected to also maintain compliance. 

Will I need to be re-certified every year?
Yes, CMMC certification is required on an annual basis. 

About our CMMC team

Tony Bai | Federal Practice Lead

A 20-year Air Force retiree, Tony is responsible for overseeing NIST-based engagements, including FedRAMP, FISMA, and 800-171, and providing cybersecurity advisory and guidance to our clients. He has over 27 years of IT experience with the last 10 years specializing in cybersecurity, providing risk assessments for government agencies and Fortune 500 companies across multiple industries. 

And when he’s not leading the federal team at A-LIGN? You can catch him at comic book conventions or supporting his children’s Boy Scout and Girl Scout troops.

Why choose A-LIGN?

Real federal experts, real insights

20 years of Federal compliance experience including FedRAMP, FISMA, and NIST 800-171 

Among the first designated C3PAOs for CMMC